You have a quaint and obsolete notion. What's "trusted"? You want, for example, VLC, you have to download it from an unpaid network of mirrors. Commercial software comes from various CDNs. Even the Apple stores allow local caching proxies (using OS X Server), so you may not be downloading from Apple. How do you know it wasn't tampered with in the CDN? Did you use TLS/HTTPS when you downloaded it? How do you know somebody on the network didn't tamper with it then?

Is that a serious question?! You calculate the checksum (MD5, SHA1, ...) of the binary you just downloaded and compare it against whatever values the /original/ website provides. If a mismatch: someone has tampered with the file!

It's as easy as that!
 
Is that a serious question?! You calculate the checksum (MD5, SHA1, ...) of the binary you just downloaded and compare it against whatever values the /original/ website provides. If a mismatch: someone has tampered with the file!

It's as easy as that!

Users just don't do that. A small subset of power users do that. The whole point of Gatekeeper is to protect the masses who want transparent security they don't have to think about.
 
You're not reading what I said correctly.

I'm saying, using a signed application that Gatekeeper does allow to run, you can run programs that do not have the ability to run with Gatekeeper activated. This is giving unsigned programs privileges that only signed ones have. That is how it's a privilege escalation issue.

Gatekeeper should be giving a dialog box to the user each time a new application is run full stop, even ones launched by other processes that are already running and that are signed.

But the source program is trusted. If their program is malicious, Apple will revoke their certificate and it would no longer be trusted.
 
I suppose you know that you can bypass Gatekeeper for unsigned apps by opening them from the context menu? There’s no reason for disabling Gatekeeper unless you want to install apps that Gatekeeper deems compromised. How does this get in the way exactly? Gatekeeper has nothing to do with the App Store.
yeah, but no

Also, Gatekeeper does have to do with the App Store, they go hand in hand... just check the 3 options in System Preferences. In the first iterations I think it was only 2 options, App Store or allow everything, if I remember correctly.

Limited in what way? Logic and Final Cut are from the App Store. Pixelmator too. Apps are only limited by the developer, not the app store.
Unless they changed it, App Store apps are sandboxed, so you don't have access to the full Mac, which certain apps require or would perform better with.
 
But the source program is trusted. If their program is malicious, Apple will revoke their certificate and it would no longer be trusted.

You are totally correct. However as we've seen when money is involved attackers will go above and beyond to get people infected. It is not beyond their means to steal credentials from legitimate developers through phishing attacks and targeted social engineering.

We've also seen where developers leave sensitive information for logging in to their data centres in GitHub source code, allowing an attacker to root around their office network, potentially stealing Apple dev account credentials, etc.

The point is, it's not difficult to just have Gatekeeper verify processes are signed at the point they launch by any means and not just when launched by the user double-clicking the app binary from a downloaded disk image. It's a hole, they should and can easily solve this problem.
 
You are totally correct. However as we've seen when money is involved attackers will go above and beyond to get people infected. It is not beyond their means to steal credentials from legitimate developers through phishing attacks and targeted social engineering.

We've also seen where developers leave sensitive information for logging in to their data centres in GitHub source code, allowing an attacker to root around their office network, potentially stealing Apple dev account credentials, etc.

The point is, it's not difficult to just have Gatekeeper verify processes are signed at the point they launch by any means and not just when launched by the user double-clicking the app binary from a downloaded disk image. It's a hole, they should and can easily solve this problem.

I have seen a lot of programs use utility programs though. Do you know how much of a pain that will be?
 
yeah, but no

Also, Gatekeeper does have to do with the App Store, they go hand in hand... just check the 3 options in System Preferences. In the first iterations I think it was only 2 options, App Store or allow everything, if I remember correctly.

Sure, but if you don't use the App Store then it doesn't matter. Regardless which option you choose, App Store apps will always be allowed and you can't obtain valid App Store apps from anywhere else (they're signed by Apple, not developers). So the point is practically uninteresting. Signed apps from outside of the App Store are a different matter and I see no reason why you would disable Gatekeeper, other than for installing applications that Gatekeeper recognises as being tampered with after being signed or whose keys have been revoked by Apple (which rarely happens and only if there is a serious concern). How often does this happen, and when it happens, why would you even do this?

XcodeGhost made its way on to developer computers because people were stupid enough to disable and purposely ignore the basic protection Gatekeeper provides. All Gatekeeper does is tell you whether the signature of a signed application is valid.
 
I have seen a lot of programs use utility programs though. Do you know how much of a pain that will be?

If Apple implemented it smartly, when you first open an application that has dependencies as sub-processes it would bring up a box listing each individual process and you could allow them all or not. Then any extras it loads which aren't listed at the start could bring up dialogs.

Remember though I'm not saying it brings this up every time you launch programs, only the first time then it remembers it until the binary is changed completely or becomes unsigned. For signed programs from the App Store there would be no need so it's only a small subset of professional software and apps that need system wide access that would have these dialogs, ones people source outside the App Store.
 
I’m really puzzled by this. Why?
Too many legit, safe programs are unsigned, and we need to use them. There's no point in using Gatekeeper if you have to make exceptions all over the place. Same problem exists with Microsoft's implementation in Windows, only even worse. The idea doesn't work unless everything good is signed.
 
Yup. I hate having to turn it on and off in System Prefs. It should just pop up with a one-time override.
It's already there. Hold down CTRL, click the application, and choose Open from the context menu. The following dialog allows you to open it after reading a warning.
 
Is that a serious question?! You calculate the checksum (MD5, SHA1, ...) of the binary you just downloaded and compare it against whatever values the /original/ website provides. If a mismatch: someone has tampered with the file!

It's as easy as that!
I know exactly how that works. It sounds easy, yet Gatekeeper apparently fails to do it properly. :/
 
Too many legit, safe programs are unsigned, and we need to use them. There's no point in using Gatekeeper if you have to make exceptions all over the place. Same problem exists with Microsoft's implementation in Windows, only even worse. The idea doesn't work unless everything good is signed.

But opening unsigned applications is still trivial. Just right-click > Open and select Open on the dialog. A hassle of a few seconds at best. For that you get the additional security of a check for applications that are signed and it's a constant reminder that you are installing an application from a developer that doesn't bother signing their apps (which serious developers should do). Unless you are installing so many programs daily that this is an actual hassle, there is no good reason for disabling this.

I know exactly how that works. It sounds easy, yet Gatekeeper apparently fails to do it properly. :/

A checksum would do the exact same thing, unless the entire archive or bundle is checked. When a developer doesn’t distribute their program as a single .app bundle then Gatekeeper will obviously not check the entire package.
 
But opening unsigned applications is still trivial. Just right-click > Open and select Open on the dialog. A hassle of a few seconds at best. For that you get the additional security of a check for applications that are signed and it's a constant reminder that you are installing an application from a developer that doesn't bother signing their apps (which serious developers should do).
I didn't even know about that. I got pissed at Gatekeeper the moment it wouldn't let me open stuff and disabled it. I'd still make exceptions for about half the things I open... But I just realized it's actually useful for a reason you didn't mention: If I'm opening an application that I know should be signed (e.g. one from Apple), it had better pass Gatekeeper. Still only a minor advantage since I'll usually only download signed stuff from the developer's site, but I'll try using it. I just hope the verification won't get in the way when, say, an unsigned program tries to launch another unsigned helper program.
 
I didn't even know about that. I got pissed at Gatekeeper the moment it wouldn't let me open stuff and disabled it. I'd still make exceptions for about half the things I open... It's actually useful for a reason you didn't mention: If I'm opening an application that I know should be signed (e.g. one from Apple), it had better pass Gatekeeper.

Exactly. That's why I can't understand why anyone would disable it. Gatekeeper will only become a problem when something is actually wrong with an application. To me that's almost the equivalent of disabling the SSL certificate validation in your browser when you're accessing a website over the HTTPS protocol. It would undermine the whole point of this type of security, because you're relying on the validity of a certificate and the integrity of the recipient or software. When developers specifically sign their applications to let you verify that they're legit when you download them, why would you not make use of that?
 
"Oh no! Gatekeeper isn't doing the thing it was never designed to do!"
-Internet people
 
"Photos for Mac won't stop the installation of malicious code. While it isn't a bug, it is a limitation in the software".

#equivalentstatement
 
You are always going to be safer using Mac devices than Android or Windows devices.

That's a bold statement. But as always, Mac users tend to tell an opinion and state it as a fact.

Looking at the facts, they do tell a different story:
http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

OS-chart.jpg
 
No, no, no. Apple checks App Store apps to see if they behave in this manner. This is more about random web downloads.
But didn't the article say this also applies with even the highest Gatekeeper security settings?

> Even if Gatekeeper is enhanced to its highest level of security settings, the new exploit can take advantage of a computer.
 